Guide to GDPR Re-Permissioning



With the release of GDPR, you’ll want to take some initial steps around contacting and informing your existing EU subscribers to ensure that you remain GDPR compliant. Going forward, you’ll need to provide a GDPR compliant signup process for all new EU subscribers.

This guide shows you how to segment and identify your current EU subscribers, how to use the special $consent property in Klaviyo emails, and then how to send a re-permissioning campaign to your EU subscribers.

Check out our blog series on GDPR for more information.


The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers -- and all ecommerce merchants -- to seek legal advice for counsel on how they specifically should prepare for GDPR.

Creating a Segment of Your EU Customers

Log in to your Klaviyo account, then navigate back to this document. When you click the button below, we will auto-populate a segment in your account that includes all profiles in countries that are impacted by the GDPR regulations. This segment identifies these profiles using the $country property, which Klaviyo ascribes using the customer’s billing address or, if that’s not available, using their GEO IP Address.

Because not everyone will have engaged in activities that result in either of those address types being added to their profile, this segment will not reliably capture all contacts impacted by GDPR. It is strongly advised that you edit this segment by adding any additional location information or unique identifying information to capture all of your contacts in impacted regions.

Create a GDPR segment in my Klaviyo account

This segment will have the following conditions:

Use this segment when sending your GDPR re-permissioning campaign.

Using the $consent Property 

The $consent profile property in Klaviyo is a special profile property used to track the GDPR consent that the profile has agreed to. It has 5 supported values, which are the channels through which you can contact a customer: email, web, mobile, sms, directmail. When added to a customer's profile this property is stored as a list of consent values.

To collect and store consent information from your EU subscribers, you can use specific "consent" template tags. When added to an email, each tag produces a link that a customer can click on to provide their consent.


Customers are directed to a default confirmation page after clicking on a consent option. The default consent page appears as follows:

You can direct your customers to a custom success page by adding a redirect URL to your own custom page as an argument to the consent tag.

The table below breaks down the consent links available and the various options for each link. In the Examples column below, the fictional business KlaviyoTees is redirecting all customers that consent to a custom success page that is hosted at

Template Tag Inputs Submit Values Examples
consent_link_email Optional: Redirect URL ["email"]

{% consent_link_email %}

{% consent_link_email '' %}

consent_link_web Optional: Redirect URL ["web"]

{% consent_link_web %}

{% consent_link_web '' %}

consent_link_email_web Optional: Redirect URL ["email", "web"]

{% consent_link_email_web %}

{% consent_link_email_web '' %}


Required: list of $consent values

Possible values include: email, web, sms, mobile, directmail. Other values will not get saved to the profile.

Optional: Redirect URL

Depends on the variables in the template tag

{% consent_link 'email,web,mobile' %}

{% consent_link 'email,web,mobile' '' %}


When a customer clicks one of these links to provide their consent, a $consent property is added to the customer's profile, where the value equals the type of consent the customer provided.

This profile property allows you to segment your customers based on their consent preferences.

In order to send multiple re-permissioning campaigns, you'll want to filter out any of your customers that do provide consent. To to this, modify the GDPR segment you added to your account with the following condition.

Sending a Consent and Re-Permissioning Campaign

Your GDPR re-permissioning campaign is an opportunity for you to outline the perks that your customers receive by remaining subscribed -- sale emails, access to new products, etc. However, you cannot incentivize customers to remain subscribed. This means that you can’t offer a deal, like 15% off their next purchase, to entice them to keep receiving emails.

To send a re-permissioning campaign, target your EU subscribers with a series of 2-3 emails, where each email explicitly asks for consent to continue to receive marketing communications from your business.

To help you get started, we've included a GDPR template in your Klaviyo account called "GDPR Re-permissioning," which you can find in your email template library when you create a new email. 


The template includes GDPR compliant language, along with pre-built buttons that customers can click to provide their consent. You can update the branding of this template to match your business and update the consent links to match the marketing channels you use. If you would like to send this email in a language other than English, you can find the text translated into a number different languages here.

Here's what you need to include when building your GDPR consent template:

  • Explicit and clear language describing the data you're collecting and how you plan to use it
  • A link to your privacy policy along with Klaviyo's privacy policy
  • A link to consent to marketing communications through specific channels you use

When adding consent links, you have the ability to accept consent through multiple channels with a single link. Because GDPR requires you to provide granular options, you can only provide multi-channel links if you've also provided separate individual links for each channel.

For example, in our GDPR default template we include individual consent links for email communications as well as online advertisements. Because both of these individual consent links are included, we can also include a combination link and remain GDPR compliant.

Include a Dynamic Consent Block for EU Subscribers

In addition to a dedicated re-permissioning strategy, you can include a dynamic block in the footer of your regular newsletter emails. This dynamic block should display only to EU subscribers, prompting them to confirm their subscription.

First, export the segment of EU subscribers outlined above as a CSV. Then, add a column to the document identifying these contacts.


Re-upload the CSV, and you will be prompted to map the new property to an existing custom property or create a new one. Create a new custom property that will allow you to target these subscribers in the content of your email. Next, you can use this criterion to show the block to all (and only) EU subscribers.


For the content of the text block, include the necessary GDPR compliance language and special $consent links needed.

The special $consent property will be added to anyone who confirms their subscription. 

Suppress EU Subscribers That Do Not Provide Consent

Anyone in your EU subscribers segment who does not opt in by May 25, 2018 should be suppressed in your account to prevent you from accidentally emailing them. Once you’re finished running your re-permissioning campaign(s), ensure that you've filtered out any of customers that provided consent from your GDPR segment. To do this, add the following condition (if you haven't already) to the GDPR segment you created above.

Suppress this segment to ensure that you don’t inadvertently email these contacts. If they later decide that they want to opt back in, they can resubscribe. 

Additional Best Practices

In order to maintain your GDPR compliance, you’ll want to adhere to the following best practices going forward.

  • Display links to your Privacy Policy, Terms of Service, and cookie policy in all of your emails.
  • Use double opt-in.
  • Use a GDPR compliant signup form to collect email addresses going forward. You can find a pre-built, GDPR compliant embedded form by navigating to List Name > Signup Forms > GDPR Embed. Learn more about how to install an embedded GDPR compliant form. Additionally, use a GDPR compliant popup or flyout.
  • Understand what consent means:
    • Freely given. In other words, you can’t mislead or force someone into letting you use their information. They must be given a legitimate choice -- and you can’t withhold a service or transaction on the basis of consent if that consent is not integral to the service or transaction.
    • Specific. Consent to process personal data must include details around both the purpose of the processing and the type of processing.
    • Informed. Closely tied to the idea of specific consent, informed consent simply means that the individual data subject must be told how their data is going to be used and why of the specific purpose for and type of data processing.
    • Unambiguous. And to go one step further, consent under GDPR must be obtained through clear language and indicated through affirmative action on the part of the data subject.
    • Easy to withdraw. Though not called out in the definition of consent upfront, Article 7 of the GDPR goes on to specify that consent must be as easy to withdraw as it is to grant.
Was this article helpful?
11 out of 11 found this helpful